On 05/04/2018 18:55, Wayne Thayer wrote:
> On Thu, Apr 5, 2018 at 3:15 AM, Dimitris Zacharopoulos <[email protected]>
> wrote:
>
>> My proposal is "CAs MUST NOT distribute or transfer private keys and
>> associated certificates in PKCS#12 form through insecure physical or
>> electronic channels " and remove the rest.
>
> +1 - I support this proposal.

But that removes the explicit exception for methods such as the
following *example* protocol (securing such a protocol is the job and
expertise of the affected CAs).

1. Set the notBefore date in the new certificate several days or weeks
  into the future.

2. Securely store the PKCS#12 or other private key format on a USB
  stick, USB token or smartcard.

3. Place that device in a physically sealed envelope or package.

4. Send it through regular postal mail (an insecure physical channel).

5. Upon receiving the envelope/package, the subscriber must verify that
  the seal is unbroken and acknowledge that, through a secure electronic
  channel.  The procedure may/should include additional steps to verify
  that the sealed envelope/package is the same one sent.

6. If this is not done before the certificate's notBefore date, the
  certificate is preemptively revoked due to private key compromise and
  issuance is retried with a new key.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
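The six-step sealed-envelope procedure above, modelled as a small registry that tracks each posted device and decides between activation and revocation at the notBefore date (an added example, not code from this thread or from any CA; the class and method names, the HMAC binding of seal id to serial, and the sample serials and seal ids are assumptions):

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from enum import Enum

class State(Enum):
    IN_TRANSIT = "in_transit"
    ACTIVE = "active"
    REVOKED = "revoked_key_compromise"

class KeyShipmentRegistry:
    def __init__(self, tag_key):
        self._key, self._s = tag_key, {}   # serial -> [not_before, seal_tag, state]

    def _tag(self, serial, seal_id):
        # HMAC binds the seal id to the serial, so a substituted envelope fails step 5
        return hmac.new(self._key, f"{serial}:{seal_id}".encode(), hashlib.sha256).hexdigest()

    def dispatch(self, serial, seal_id, issued_at, lead=timedelta(days=14)):
        # steps 1-4: notBefore set in the future, seal recorded before posting
        self._s[serial] = [issued_at + lead, self._tag(serial, seal_id), State.IN_TRANSIT]
        return self._s[serial][0]

    def acknowledge(self, serial, seal_id, seal_intact, at):
        # step 5: subscriber reports seal id and condition over a secure channel
        rec = self._s[serial]
        if rec[2] is not State.IN_TRANSIT:
            return rec[2]                      # a revoked cert is never re-activated
        ok = (seal_intact and at < rec[0]
              and hmac.compare_digest(rec[1], self._tag(serial, seal_id)))
        rec[2] = State.ACTIVE if ok else State.REVOKED
        return rec[2]

    def sweep(self, now):
        # step 6: anything still unacknowledged at notBefore is treated as compromised
        late = [k for k, r in self._s.items() if r[2] is State.IN_TRANSIT and now >= r[0]]
        for k in late:
            self._s[k][2] = State.REVOKED
        return late

def run_demo():
    # constructed sample: three envelopes posted on the same day, different outcomes
    reg = KeyShipmentRegistry(b"registry-hmac-key")
    t0 = datetime(2018, 4, 5, tzinfo=timezone.utc)
    for serial, seal in (("01", "SEAL-A"), ("02", "SEAL-B"), ("03", "SEAL-C")):
        reg.dispatch(serial, seal, t0)
    d3, d14, d15 = (t0 + timedelta(days=n) for n in (3, 14, 15))
    return {"on_time_intact": reg.acknowledge("01", "SEAL-A", True, d3).value,
            "wrong_seal_id": reg.acknowledge("02", "SEAL-X", True, d3).value,
            "swept_at_notbefore": reg.sweep(d14),
            "late_ack": reg.acknowledge("03", "SEAL-C", True, d15).value}
```

Running `run_demo()` shows the three failure paths the procedure relies on: a mismatched seal id, a broken seal, and silence past notBefore all end in revocation for key compromise, and only an intact, matching, on-time acknowledgement activates the certificate.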
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy